Question about list, tables and pfctl

Kei · Oct 6, 2019, 1:32 PM

Hello everyone,
I've setup my infrastructure to push via RADIUS (which resides to a different VM) some rules to every user upon OpneVPN connection.
All works ok, however I've noticed an odd behavior with the command pfctl:

If the rules pushed by RADIUS are too many, I see this output:

pfctl -a openvpn/firstname.lastname -sr
pass in quick on openvpn inet from any to <__automatic_41319fc_0> flags S/SA keep state

This "automatic_41319fc_0" thingy should be a table, so then I perform:

pfctl -t automatic_41319fc_0 -T show

However oddly enough, this is what I get:
pfctl: Table does not exist.

Could someone explain why is that?

stephenw10 · Oct 6, 2019, 3:30 PM

Do you actually see those rules in /tmp/rules.debug?

Kei · Oct 6, 2019, 9:05 PM

@stephenw10 said in Question about list, tables and pfctl:

/tmp/rules.debug

Apparently I dont see anything related to these rules in this file.
What bothers me is that if I have only one rule or two I can see them with the pfctl command:

pfctl -a openvpn/test1 -sr
pass in quick on openvpn inet from any to 192.168.2.0/24 flags S/SA keep state

What if I disable the mechanic by wich the rules are summarized? Provided I can / should...

stephenw10 · Oct 6, 2019, 10:15 PM

Ah, I see now they are anchors so you would need to drill down to see the tables. So maybe:
pfctl -a openvpn/test1 -t automatic_41319fc_0 -T show

There is also a php shell script to drill down all tables:
pfSsh.php playback pftabledrill

Steve

Kei · Oct 7, 2019, 12:09 AM

@stephenw10 said in Question about list, tables and pfctl:

pfctl -a openvpn/test1 -t automatic_41319fc_0 -T show

pfctl -a openvpn/test1 -t __automatic_41319fc_0 -T show

did it!!! thank you!!!